cobaltstrike | 2b079ccb33a85b7940c8f2f056c5aef0bc43a15f5a158b8b19c41f080679c031

Analysis

max time kernel
140s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-01-2025 04:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-04_5a8988cc40c93223fa13fb6d03bdbff3_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

5a8988cc40c93223fa13fb6d03bdbff3
SHA1

1d0d74cd16cdbdfb5c502f6ebb85523a2679f9dc
SHA256

2b079ccb33a85b7940c8f2f056c5aef0bc43a15f5a158b8b19c41f080679c031
SHA512

1318106fe80fd6d6af9b9fed04279c6dcbbfdee7afc3fe99f1fa013612d061d651b91fdeac67a91112355a6aa9d3100ea4f3775371156a9f5a08a2d48a3c6201
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l8:RWWBibd56utgpPFotBER/mQ32lU4

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000a000000023bb9-6.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c82-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c87-23.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c89-36.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8a-42.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8b-45.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8c-50.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8f-67.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c91-85.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c92-94.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c95-108.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c94-112.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c97-120.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c96-117.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c93-101.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c83-96.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c90-81.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8d-72.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8e-71.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c88-34.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c86-20.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/2716-15-0x00007FF68DC50000-0x00007FF68DFA1000-memory.dmp	xmrig
behavioral2/memory/3932-88-0x00007FF7231E0000-0x00007FF723531000-memory.dmp	xmrig
behavioral2/memory/2068-78-0x00007FF674430000-0x00007FF674781000-memory.dmp	xmrig
behavioral2/memory/5028-62-0x00007FF7F07E0000-0x00007FF7F0B31000-memory.dmp	xmrig
behavioral2/memory/4332-123-0x00007FF7091E0000-0x00007FF709531000-memory.dmp	xmrig
behavioral2/memory/4252-126-0x00007FF7E0A20000-0x00007FF7E0D71000-memory.dmp	xmrig
behavioral2/memory/2716-129-0x00007FF68DC50000-0x00007FF68DFA1000-memory.dmp	xmrig
behavioral2/memory/3592-131-0x00007FF6E97D0000-0x00007FF6E9B21000-memory.dmp	xmrig
behavioral2/memory/3416-130-0x00007FF6FC080000-0x00007FF6FC3D1000-memory.dmp	xmrig
behavioral2/memory/1028-128-0x00007FF7D1670000-0x00007FF7D19C1000-memory.dmp	xmrig
behavioral2/memory/464-127-0x00007FF64E740000-0x00007FF64EA91000-memory.dmp	xmrig
behavioral2/memory/3744-125-0x00007FF66D480000-0x00007FF66D7D1000-memory.dmp	xmrig
behavioral2/memory/4928-124-0x00007FF604950000-0x00007FF604CA1000-memory.dmp	xmrig
behavioral2/memory/4056-132-0x00007FF641F80000-0x00007FF6422D1000-memory.dmp	xmrig
behavioral2/memory/3680-134-0x00007FF788770000-0x00007FF788AC1000-memory.dmp	xmrig
behavioral2/memory/3608-133-0x00007FF753370000-0x00007FF7536C1000-memory.dmp	xmrig
behavioral2/memory/3068-135-0x00007FF7EBE40000-0x00007FF7EC191000-memory.dmp	xmrig
behavioral2/memory/2068-136-0x00007FF674430000-0x00007FF674781000-memory.dmp	xmrig
behavioral2/memory/2708-146-0x00007FF6AAAC0000-0x00007FF6AAE11000-memory.dmp	xmrig
behavioral2/memory/2828-151-0x00007FF7139A0000-0x00007FF713CF1000-memory.dmp	xmrig
behavioral2/memory/2272-150-0x00007FF6E4B00000-0x00007FF6E4E51000-memory.dmp	xmrig
behavioral2/memory/548-149-0x00007FF7872E0000-0x00007FF787631000-memory.dmp	xmrig
behavioral2/memory/4148-148-0x00007FF6AF0F0000-0x00007FF6AF441000-memory.dmp	xmrig
behavioral2/memory/3184-147-0x00007FF770920000-0x00007FF770C71000-memory.dmp	xmrig
behavioral2/memory/2068-159-0x00007FF674430000-0x00007FF674781000-memory.dmp	xmrig
behavioral2/memory/3932-220-0x00007FF7231E0000-0x00007FF723531000-memory.dmp	xmrig
behavioral2/memory/2716-222-0x00007FF68DC50000-0x00007FF68DFA1000-memory.dmp	xmrig
behavioral2/memory/3416-224-0x00007FF6FC080000-0x00007FF6FC3D1000-memory.dmp	xmrig
behavioral2/memory/4056-226-0x00007FF641F80000-0x00007FF6422D1000-memory.dmp	xmrig
behavioral2/memory/3608-229-0x00007FF753370000-0x00007FF7536C1000-memory.dmp	xmrig
behavioral2/memory/3680-230-0x00007FF788770000-0x00007FF788AC1000-memory.dmp	xmrig
behavioral2/memory/3068-232-0x00007FF7EBE40000-0x00007FF7EC191000-memory.dmp	xmrig
behavioral2/memory/5028-234-0x00007FF7F07E0000-0x00007FF7F0B31000-memory.dmp	xmrig
behavioral2/memory/2708-236-0x00007FF6AAAC0000-0x00007FF6AAE11000-memory.dmp	xmrig
behavioral2/memory/4148-238-0x00007FF6AF0F0000-0x00007FF6AF441000-memory.dmp	xmrig
behavioral2/memory/3184-240-0x00007FF770920000-0x00007FF770C71000-memory.dmp	xmrig
behavioral2/memory/548-242-0x00007FF7872E0000-0x00007FF787631000-memory.dmp	xmrig
behavioral2/memory/2272-250-0x00007FF6E4B00000-0x00007FF6E4E51000-memory.dmp	xmrig
behavioral2/memory/2828-252-0x00007FF7139A0000-0x00007FF713CF1000-memory.dmp	xmrig
behavioral2/memory/4332-256-0x00007FF7091E0000-0x00007FF709531000-memory.dmp	xmrig
behavioral2/memory/3592-258-0x00007FF6E97D0000-0x00007FF6E9B21000-memory.dmp	xmrig
behavioral2/memory/4928-255-0x00007FF604950000-0x00007FF604CA1000-memory.dmp	xmrig
behavioral2/memory/4252-262-0x00007FF7E0A20000-0x00007FF7E0D71000-memory.dmp	xmrig
behavioral2/memory/1028-265-0x00007FF7D1670000-0x00007FF7D19C1000-memory.dmp	xmrig
behavioral2/memory/464-261-0x00007FF64E740000-0x00007FF64EA91000-memory.dmp	xmrig
behavioral2/memory/3744-266-0x00007FF66D480000-0x00007FF66D7D1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3932	kpangJu.exe
2716	VeuAkoe.exe
3416	IfzzOPi.exe
4056	vOOyTRE.exe
3608	PSSZUMG.exe
3680	qjoVEYD.exe
3068	YnOJsUE.exe
5028	mxYkXWl.exe
2708	fyxlETL.exe
4148	iTeFtKx.exe
3184	MOkueKl.exe
548	oaiEheJ.exe
2272	fmYwbKf.exe
2828	xXkOObt.exe
3592	ausvKcO.exe
4332	YMeWtqE.exe
4928	QPgVvnb.exe
3744	dROidZm.exe
4252	avzKvIb.exe
464	jwiHlSv.exe
1028	NCJhmKo.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2068-0-0x00007FF674430000-0x00007FF674781000-memory.dmp	upx
behavioral2/files/0x000a000000023bb9-6.dat	upx
behavioral2/memory/3932-7-0x00007FF7231E0000-0x00007FF723531000-memory.dmp	upx
behavioral2/files/0x0008000000023c82-11.dat	upx
behavioral2/memory/2716-15-0x00007FF68DC50000-0x00007FF68DFA1000-memory.dmp	upx
behavioral2/files/0x0007000000023c87-23.dat	upx
behavioral2/memory/3608-32-0x00007FF753370000-0x00007FF7536C1000-memory.dmp	upx
behavioral2/files/0x0007000000023c89-36.dat	upx
behavioral2/files/0x0007000000023c8a-42.dat	upx
behavioral2/files/0x0007000000023c8b-45.dat	upx
behavioral2/files/0x0007000000023c8c-50.dat	upx
behavioral2/memory/2708-56-0x00007FF6AAAC0000-0x00007FF6AAE11000-memory.dmp	upx
behavioral2/files/0x0007000000023c8f-67.dat	upx
behavioral2/memory/3184-70-0x00007FF770920000-0x00007FF770C71000-memory.dmp	upx
behavioral2/memory/548-77-0x00007FF7872E0000-0x00007FF787631000-memory.dmp	upx
behavioral2/files/0x0007000000023c91-85.dat	upx
behavioral2/files/0x0007000000023c92-94.dat	upx
behavioral2/files/0x0007000000023c95-108.dat	upx
behavioral2/files/0x0007000000023c94-112.dat	upx
behavioral2/files/0x0007000000023c97-120.dat	upx
behavioral2/files/0x0007000000023c96-117.dat	upx
behavioral2/files/0x0007000000023c93-101.dat	upx
behavioral2/files/0x0008000000023c83-96.dat	upx
behavioral2/memory/3932-88-0x00007FF7231E0000-0x00007FF723531000-memory.dmp	upx
behavioral2/memory/2272-86-0x00007FF6E4B00000-0x00007FF6E4E51000-memory.dmp	upx
behavioral2/files/0x0007000000023c90-81.dat	upx
behavioral2/memory/2068-78-0x00007FF674430000-0x00007FF674781000-memory.dmp	upx
behavioral2/files/0x0007000000023c8d-72.dat	upx
behavioral2/files/0x0007000000023c8e-71.dat	upx
behavioral2/memory/4148-68-0x00007FF6AF0F0000-0x00007FF6AF441000-memory.dmp	upx
behavioral2/memory/5028-62-0x00007FF7F07E0000-0x00007FF7F0B31000-memory.dmp	upx
behavioral2/memory/3068-49-0x00007FF7EBE40000-0x00007FF7EC191000-memory.dmp	upx
behavioral2/files/0x0007000000023c88-34.dat	upx
behavioral2/memory/3680-33-0x00007FF788770000-0x00007FF788AC1000-memory.dmp	upx
behavioral2/memory/4056-26-0x00007FF641F80000-0x00007FF6422D1000-memory.dmp	upx
behavioral2/memory/3416-21-0x00007FF6FC080000-0x00007FF6FC3D1000-memory.dmp	upx
behavioral2/files/0x0007000000023c86-20.dat	upx
behavioral2/memory/2828-122-0x00007FF7139A0000-0x00007FF713CF1000-memory.dmp	upx
behavioral2/memory/4332-123-0x00007FF7091E0000-0x00007FF709531000-memory.dmp	upx
behavioral2/memory/4252-126-0x00007FF7E0A20000-0x00007FF7E0D71000-memory.dmp	upx
behavioral2/memory/2716-129-0x00007FF68DC50000-0x00007FF68DFA1000-memory.dmp	upx
behavioral2/memory/3592-131-0x00007FF6E97D0000-0x00007FF6E9B21000-memory.dmp	upx
behavioral2/memory/3416-130-0x00007FF6FC080000-0x00007FF6FC3D1000-memory.dmp	upx
behavioral2/memory/1028-128-0x00007FF7D1670000-0x00007FF7D19C1000-memory.dmp	upx
behavioral2/memory/464-127-0x00007FF64E740000-0x00007FF64EA91000-memory.dmp	upx
behavioral2/memory/3744-125-0x00007FF66D480000-0x00007FF66D7D1000-memory.dmp	upx
behavioral2/memory/4928-124-0x00007FF604950000-0x00007FF604CA1000-memory.dmp	upx
behavioral2/memory/4056-132-0x00007FF641F80000-0x00007FF6422D1000-memory.dmp	upx
behavioral2/memory/3680-134-0x00007FF788770000-0x00007FF788AC1000-memory.dmp	upx
behavioral2/memory/3608-133-0x00007FF753370000-0x00007FF7536C1000-memory.dmp	upx
behavioral2/memory/3068-135-0x00007FF7EBE40000-0x00007FF7EC191000-memory.dmp	upx
behavioral2/memory/2068-136-0x00007FF674430000-0x00007FF674781000-memory.dmp	upx
behavioral2/memory/2708-146-0x00007FF6AAAC0000-0x00007FF6AAE11000-memory.dmp	upx
behavioral2/memory/2828-151-0x00007FF7139A0000-0x00007FF713CF1000-memory.dmp	upx
behavioral2/memory/2272-150-0x00007FF6E4B00000-0x00007FF6E4E51000-memory.dmp	upx
behavioral2/memory/548-149-0x00007FF7872E0000-0x00007FF787631000-memory.dmp	upx
behavioral2/memory/4148-148-0x00007FF6AF0F0000-0x00007FF6AF441000-memory.dmp	upx
behavioral2/memory/3184-147-0x00007FF770920000-0x00007FF770C71000-memory.dmp	upx
behavioral2/memory/2068-159-0x00007FF674430000-0x00007FF674781000-memory.dmp	upx
behavioral2/memory/3932-220-0x00007FF7231E0000-0x00007FF723531000-memory.dmp	upx
behavioral2/memory/2716-222-0x00007FF68DC50000-0x00007FF68DFA1000-memory.dmp	upx
behavioral2/memory/3416-224-0x00007FF6FC080000-0x00007FF6FC3D1000-memory.dmp	upx
behavioral2/memory/4056-226-0x00007FF641F80000-0x00007FF6422D1000-memory.dmp	upx
behavioral2/memory/3608-229-0x00007FF753370000-0x00007FF7536C1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\vOOyTRE.exe	2025-01-04_5a8988cc40c93223fa13fb6d03bdbff3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qjoVEYD.exe	2025-01-04_5a8988cc40c93223fa13fb6d03bdbff3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ausvKcO.exe	2025-01-04_5a8988cc40c93223fa13fb6d03bdbff3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QPgVvnb.exe	2025-01-04_5a8988cc40c93223fa13fb6d03bdbff3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VeuAkoe.exe	2025-01-04_5a8988cc40c93223fa13fb6d03bdbff3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YnOJsUE.exe	2025-01-04_5a8988cc40c93223fa13fb6d03bdbff3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fmYwbKf.exe	2025-01-04_5a8988cc40c93223fa13fb6d03bdbff3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YMeWtqE.exe	2025-01-04_5a8988cc40c93223fa13fb6d03bdbff3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NCJhmKo.exe	2025-01-04_5a8988cc40c93223fa13fb6d03bdbff3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kpangJu.exe	2025-01-04_5a8988cc40c93223fa13fb6d03bdbff3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mxYkXWl.exe	2025-01-04_5a8988cc40c93223fa13fb6d03bdbff3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fyxlETL.exe	2025-01-04_5a8988cc40c93223fa13fb6d03bdbff3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xXkOObt.exe	2025-01-04_5a8988cc40c93223fa13fb6d03bdbff3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\avzKvIb.exe	2025-01-04_5a8988cc40c93223fa13fb6d03bdbff3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IfzzOPi.exe	2025-01-04_5a8988cc40c93223fa13fb6d03bdbff3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PSSZUMG.exe	2025-01-04_5a8988cc40c93223fa13fb6d03bdbff3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MOkueKl.exe	2025-01-04_5a8988cc40c93223fa13fb6d03bdbff3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iTeFtKx.exe	2025-01-04_5a8988cc40c93223fa13fb6d03bdbff3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oaiEheJ.exe	2025-01-04_5a8988cc40c93223fa13fb6d03bdbff3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dROidZm.exe	2025-01-04_5a8988cc40c93223fa13fb6d03bdbff3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jwiHlSv.exe	2025-01-04_5a8988cc40c93223fa13fb6d03bdbff3_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2068	2025-01-04_5a8988cc40c93223fa13fb6d03bdbff3_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2068	2025-01-04_5a8988cc40c93223fa13fb6d03bdbff3_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 3932	2068	2025-01-04_5a8988cc40c93223fa13fb6d03bdbff3_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2068 wrote to memory of 3932	2068	2025-01-04_5a8988cc40c93223fa13fb6d03bdbff3_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2068 wrote to memory of 2716	2068	2025-01-04_5a8988cc40c93223fa13fb6d03bdbff3_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2068 wrote to memory of 2716	2068	2025-01-04_5a8988cc40c93223fa13fb6d03bdbff3_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2068 wrote to memory of 3416	2068	2025-01-04_5a8988cc40c93223fa13fb6d03bdbff3_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2068 wrote to memory of 3416	2068	2025-01-04_5a8988cc40c93223fa13fb6d03bdbff3_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2068 wrote to memory of 4056	2068	2025-01-04_5a8988cc40c93223fa13fb6d03bdbff3_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2068 wrote to memory of 4056	2068	2025-01-04_5a8988cc40c93223fa13fb6d03bdbff3_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2068 wrote to memory of 3608	2068	2025-01-04_5a8988cc40c93223fa13fb6d03bdbff3_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2068 wrote to memory of 3608	2068	2025-01-04_5a8988cc40c93223fa13fb6d03bdbff3_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2068 wrote to memory of 3680	2068	2025-01-04_5a8988cc40c93223fa13fb6d03bdbff3_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2068 wrote to memory of 3680	2068	2025-01-04_5a8988cc40c93223fa13fb6d03bdbff3_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2068 wrote to memory of 3068	2068	2025-01-04_5a8988cc40c93223fa13fb6d03bdbff3_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2068 wrote to memory of 3068	2068	2025-01-04_5a8988cc40c93223fa13fb6d03bdbff3_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2068 wrote to memory of 5028	2068	2025-01-04_5a8988cc40c93223fa13fb6d03bdbff3_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2068 wrote to memory of 5028	2068	2025-01-04_5a8988cc40c93223fa13fb6d03bdbff3_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2068 wrote to memory of 2708	2068	2025-01-04_5a8988cc40c93223fa13fb6d03bdbff3_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2068 wrote to memory of 2708	2068	2025-01-04_5a8988cc40c93223fa13fb6d03bdbff3_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2068 wrote to memory of 3184	2068	2025-01-04_5a8988cc40c93223fa13fb6d03bdbff3_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2068 wrote to memory of 3184	2068	2025-01-04_5a8988cc40c93223fa13fb6d03bdbff3_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2068 wrote to memory of 4148	2068	2025-01-04_5a8988cc40c93223fa13fb6d03bdbff3_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2068 wrote to memory of 4148	2068	2025-01-04_5a8988cc40c93223fa13fb6d03bdbff3_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2068 wrote to memory of 548	2068	2025-01-04_5a8988cc40c93223fa13fb6d03bdbff3_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2068 wrote to memory of 548	2068	2025-01-04_5a8988cc40c93223fa13fb6d03bdbff3_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2068 wrote to memory of 2272	2068	2025-01-04_5a8988cc40c93223fa13fb6d03bdbff3_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2068 wrote to memory of 2272	2068	2025-01-04_5a8988cc40c93223fa13fb6d03bdbff3_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2068 wrote to memory of 2828	2068	2025-01-04_5a8988cc40c93223fa13fb6d03bdbff3_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2068 wrote to memory of 2828	2068	2025-01-04_5a8988cc40c93223fa13fb6d03bdbff3_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2068 wrote to memory of 3592	2068	2025-01-04_5a8988cc40c93223fa13fb6d03bdbff3_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2068 wrote to memory of 3592	2068	2025-01-04_5a8988cc40c93223fa13fb6d03bdbff3_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2068 wrote to memory of 4332	2068	2025-01-04_5a8988cc40c93223fa13fb6d03bdbff3_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2068 wrote to memory of 4332	2068	2025-01-04_5a8988cc40c93223fa13fb6d03bdbff3_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2068 wrote to memory of 4928	2068	2025-01-04_5a8988cc40c93223fa13fb6d03bdbff3_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2068 wrote to memory of 4928	2068	2025-01-04_5a8988cc40c93223fa13fb6d03bdbff3_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2068 wrote to memory of 3744	2068	2025-01-04_5a8988cc40c93223fa13fb6d03bdbff3_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2068 wrote to memory of 3744	2068	2025-01-04_5a8988cc40c93223fa13fb6d03bdbff3_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2068 wrote to memory of 4252	2068	2025-01-04_5a8988cc40c93223fa13fb6d03bdbff3_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2068 wrote to memory of 4252	2068	2025-01-04_5a8988cc40c93223fa13fb6d03bdbff3_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2068 wrote to memory of 464	2068	2025-01-04_5a8988cc40c93223fa13fb6d03bdbff3_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2068 wrote to memory of 464	2068	2025-01-04_5a8988cc40c93223fa13fb6d03bdbff3_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2068 wrote to memory of 1028	2068	2025-01-04_5a8988cc40c93223fa13fb6d03bdbff3_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2068 wrote to memory of 1028	2068	2025-01-04_5a8988cc40c93223fa13fb6d03bdbff3_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2025-01-04_5a8988cc40c93223fa13fb6d03bdbff3_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-04_5a8988cc40c93223fa13fb6d03bdbff3_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Windows\System\kpangJu.exe
  C:\Windows\System\kpangJu.exe
  2⤵
  - Executes dropped EXE
  PID:3932
- C:\Windows\System\VeuAkoe.exe
  C:\Windows\System\VeuAkoe.exe
  2⤵
  - Executes dropped EXE
  PID:2716
- C:\Windows\System\IfzzOPi.exe
  C:\Windows\System\IfzzOPi.exe
  2⤵
  - Executes dropped EXE
  PID:3416
- C:\Windows\System\vOOyTRE.exe
  C:\Windows\System\vOOyTRE.exe
  2⤵
  - Executes dropped EXE
  PID:4056
- C:\Windows\System\PSSZUMG.exe
  C:\Windows\System\PSSZUMG.exe
  2⤵
  - Executes dropped EXE
  PID:3608
- C:\Windows\System\qjoVEYD.exe
  C:\Windows\System\qjoVEYD.exe
  2⤵
  - Executes dropped EXE
  PID:3680
- C:\Windows\System\YnOJsUE.exe
  C:\Windows\System\YnOJsUE.exe
  2⤵
  - Executes dropped EXE
  PID:3068
- C:\Windows\System\mxYkXWl.exe
  C:\Windows\System\mxYkXWl.exe
  2⤵
  - Executes dropped EXE
  PID:5028
- C:\Windows\System\fyxlETL.exe
  C:\Windows\System\fyxlETL.exe
  2⤵
  - Executes dropped EXE
  PID:2708
- C:\Windows\System\MOkueKl.exe
  C:\Windows\System\MOkueKl.exe
  2⤵
  - Executes dropped EXE
  PID:3184
- C:\Windows\System\iTeFtKx.exe
  C:\Windows\System\iTeFtKx.exe
  2⤵
  - Executes dropped EXE
  PID:4148
- C:\Windows\System\oaiEheJ.exe
  C:\Windows\System\oaiEheJ.exe
  2⤵
  - Executes dropped EXE
  PID:548
- C:\Windows\System\fmYwbKf.exe
  C:\Windows\System\fmYwbKf.exe
  2⤵
  - Executes dropped EXE
  PID:2272
- C:\Windows\System\xXkOObt.exe
  C:\Windows\System\xXkOObt.exe
  2⤵
  - Executes dropped EXE
  PID:2828
- C:\Windows\System\ausvKcO.exe
  C:\Windows\System\ausvKcO.exe
  2⤵
  - Executes dropped EXE
  PID:3592
- C:\Windows\System\YMeWtqE.exe
  C:\Windows\System\YMeWtqE.exe
  2⤵
  - Executes dropped EXE
  PID:4332
- C:\Windows\System\QPgVvnb.exe
  C:\Windows\System\QPgVvnb.exe
  2⤵
  - Executes dropped EXE
  PID:4928
- C:\Windows\System\dROidZm.exe
  C:\Windows\System\dROidZm.exe
  2⤵
  - Executes dropped EXE
  PID:3744
- C:\Windows\System\avzKvIb.exe
  C:\Windows\System\avzKvIb.exe
  2⤵
  - Executes dropped EXE
  PID:4252
- C:\Windows\System\jwiHlSv.exe
  C:\Windows\System\jwiHlSv.exe
  2⤵
  - Executes dropped EXE
  PID:464
- C:\Windows\System\NCJhmKo.exe
  C:\Windows\System\NCJhmKo.exe
  2⤵
  - Executes dropped EXE
  PID:1028

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\IfzzOPi.exe

Filesize
5.2MB

MD5
e63d8860e9bf9baa0cc13d70068c3db6

SHA1
d3a0612a24079ae2a9cf8fd682fdf5081988c968

SHA256
ba245b243836408857c088a5e560760436dd272c3001dbc7372af6bf7bf39e5a

SHA512
43c597da4f834c98e090deee3c11392defad75e04618447f3ee79cac38ea453472148ac2fce723abd22a56f15d1b4f614e351dfcc0ca28946eee9770c7e16133

Download Submit
C:\Windows\System\MOkueKl.exe

Filesize
5.2MB

MD5
2a2b9ae9a32723b31e597ebfa1a2b4a6

SHA1
d2118d7ba476b6f3c96da505c36ed896f45d4c80

SHA256
ad456cfec2f21004ae79bbe2c1a3a95548d5e6bd473407565cbba020dd4d010b

SHA512
341a18b02a5f778709d560b16cb1a12242e57b663da6a2a51f86d7c15bdf72a502e6df556ea9437c7da5adc8e60be664def04b98da45127f5ee6b5a094ca0be4

Download Submit
C:\Windows\System\NCJhmKo.exe

Filesize
5.2MB

MD5
9ef0b0536006f446813cf44b0f5d461f

SHA1
f646aa2e828f5f59008199eca53c6af3ec508c7b

SHA256
64cbb6192f87f0c72923b4cbdb268c7b4f58f5c9cedd8d3cc943dedd793b09f0

SHA512
c5f58d259e87a70c1e1788531da9f27f87483db6b2f6a394ec8de77096184627705da3f1cd919ce76712bcd7c2748d9a252cdb570f7c62b1f748f47a9352e665

Download Submit
C:\Windows\System\PSSZUMG.exe

Filesize
5.2MB

MD5
1341e0440bf575388be01d33d65977e1

SHA1
acb1ee3dad0ab91662bbd8ac60599be37c29b2ad

SHA256
c13c2d3d3e035abe7446ab051014a99bee4b03a8f3ba2b907eae5f6f235c49cb

SHA512
2e5b01e7956c7cc7c607fa9a5e94b42b5ddeaa61db32d0cb8b9ecc1276d9e8f87bff06a10e64e9d25a8f3aae3689440fbd8468c609a3fc3134671176c496cc15

Download Submit
C:\Windows\System\QPgVvnb.exe

Filesize
5.2MB

MD5
ba456810e9d9eb2c1e4dcea4b8e5b33f

SHA1
393e386367ed0f87e8f2b369bd5ea3376d29ecf1

SHA256
a26726bc4bc04af5ef8968c17c0ed752c1bd1864e9643b04b1fe94f6b6c0c99d

SHA512
640e2cdabf0bcf1709e648801bbe6343040dfe5065da769a11f9145dc8d0534dfdd910a68a64f1bf65c1e47073a8ba14c33e4f8a2572db20822b8c22b5ec0169

Download Submit
C:\Windows\System\VeuAkoe.exe

Filesize
5.2MB

MD5
d3693022a8154c6f9a67d8d7903b3995

SHA1
89018e593786371bed1231f4e3f25f3f4e67d420

SHA256
b3e7cda1f4da6dc8a77193e5e4e8c3b96423aacfe7969fb82c7630d4e18f4932

SHA512
64d3cde9196d03f5f1544a01f7a2f52619c0409426b7114b6f41e344288456a2df521c416638a116b61763642eb6398084d861bd3e35d49ca03079eee46d697f

Download Submit
C:\Windows\System\YMeWtqE.exe

Filesize
5.2MB

MD5
da02d3160b5bf7bd1d1ef9eee666a2f3

SHA1
0f088a093bdb7dd909019d90a048c22fec9718f2

SHA256
ba844adc8e9d5a37377bf6a0c378ce5cf9091425e0c4a9c7a275ddaef1e610aa

SHA512
01d43a1ff844efa17f14f1193c13d6bb3e5b426cd2d34ca7f345a3d415b8e3dd43cd70d53cfab008dea799229e629b2fc232e84d2d3ebc07eccdff8924199fb2

Download Submit
C:\Windows\System\YnOJsUE.exe

Filesize
5.2MB

MD5
b483a9f4c196fadd55403596f3b63459

SHA1
6b195d26494e3d5c12d1e3ff9da59ebc841f5d64

SHA256
f71cc5cb805aa2cf27c20f8d73032ca6b6ee7912b773989ceb5d6ea488b0e728

SHA512
0f12c766020ec5fd2b94e076740ea2ec386981a0e77bf8be7b25c7d37883fe6d99d3a910148b1c3d08948d3d7ed76b0cc5b832988142b0fd9586173b5e55cb48

Download Submit
C:\Windows\System\ausvKcO.exe

Filesize
5.2MB

MD5
8fa9bda8e50d327f88f713964737946d

SHA1
e72be7a0178c284545827af7222ace99c5ef1028

SHA256
3b0dee4c090bbf7d2a68a52ee6b75b1417e95fe4a338d8905f75232d950a7fd3

SHA512
2868a6391d2ea0e98f40cdb5d01f9184406e5030e541141fb3a21c2e62928ec384c9d86bc9a9e774bb67b7924e6eba3907cdd2239ff69ee866746db8c912cb77

Download Submit
C:\Windows\System\avzKvIb.exe

Filesize
5.2MB

MD5
60fa8e26987ad53a3587fd3c6982b60f

SHA1
bd73809b3fb740dfc166ba1f18016353dbf2868d

SHA256
7c83acee0f74ec712b2ef5bcdf5792093c998038a3000165d41e0878522bdbd7

SHA512
a8b7f7755478136ef018c44616fad4bf3a38d902b000f63216a24923d9a11949afd519fa3a70ddbf4a37818a0a629a76aa2eaea2c4a8c682963e6ed396d956f1

Download Submit
C:\Windows\System\dROidZm.exe

Filesize
5.2MB

MD5
f5b35ded7d6cf4094dc6589b5aeb32e7

SHA1
113735ddbc1311381657c1c1d83ba22328fce829

SHA256
99923665d6bde088abd42234ccbbd9f19313b0790011169cb516a033efd051f0

SHA512
b399b59936645e00727971bde469d3a9653106ec5965d2ec2b9424f044498572255529e5d4ef735a242b09ca40aa3845ab8e39c08bf5a43dd63c5e2c80aaf8ac

Download Submit
C:\Windows\System\fmYwbKf.exe

Filesize
5.2MB

MD5
ea2c5399cc28f4a933da2b8ac2bfaf6e

SHA1
e055c96f1f1e47160fd2798970003cf7bccdf98e

SHA256
eed6a009ee1f984e05e3b3bca04e193da6cd1d9ca5e78b415c4c6212316fc91e

SHA512
55253b3c0320d21bb76acbd4b753eb0fb719629078e4b97c10dd425ce48c7a60571122e010c41e488d0200ac3d100709cbc2b09b6fafc9318c9fb6335707a859

Download Submit
C:\Windows\System\fyxlETL.exe

Filesize
5.2MB

MD5
b66c67f06c32427bd647b307881306be

SHA1
852104706edfb28e2b76cfa48f903082689f1ea2

SHA256
60d6ba152656cf80eaf5879a9cb6f82f4e50dccc7e9c4af3d355ce885e626383

SHA512
e6eb35b7ef2a33248e38a291a12b923fe2b2bfea2f2a9ddc225c559fca1073266751a9f8a952cad5f9d6e4e748b536c822e4bcbf051945bea1e03dc39797db7d

Download Submit
C:\Windows\System\iTeFtKx.exe

Filesize
5.2MB

MD5
e3d9930b33227b2cc75d4a2d92a1fa64

SHA1
c27f226efc311392843b6b758ca2d2cebdcc05e3

SHA256
58d2841a061002b0d7b6bf80039aab985535c779ce5d42eb66ebdf4ab2e7a22c

SHA512
f673ced470060caaa123ae7e987a783535da9540208edc89cd8ff261430041e4c5583818480693e5d88d3861c377a2e14b8ec5942400c44b8b9cd81f68e40bb5

Download Submit
C:\Windows\System\jwiHlSv.exe

Filesize
5.2MB

MD5
f557fd37e639b345c0eb0515d0f211bc

SHA1
9494ebfc172e135c16c151a46d374f3759fde8c2

SHA256
ba4dc40a8659e0fc1f1658a25133dd5207a4e08e6d44cd13a907112f09dd095d

SHA512
a1c04071223f8dba0da6871078aa92abc0bdae4d6d30be24573d8894a1e7eb51f3182390b158fa529d5a0029d2cdc327ab082291cb9627076f3fd92d3c90db03

Download Submit
C:\Windows\System\kpangJu.exe

Filesize
5.2MB

MD5
227f8fc6033349006ae89114746b8ecb

SHA1
88dae852c158ee76d4884d738cfdd4e267526f3d

SHA256
28f9e72da2c566b8a741649b778c1497968d7b7d1525e3d0e6cd2316fb6f562c

SHA512
d2f4a422868cce72f024142afe866f3fd31f0a1cb6a6b3d8e90f9c77a7b4e6799477bfb0454039df63000a7b3b62959978a09289751673785a2c37dca23e26a1

Download Submit
C:\Windows\System\mxYkXWl.exe

Filesize
5.2MB

MD5
3dfbcad75338dffc69c8bba61800fefe

SHA1
5211672be555a60b1af3774d98993be965f7fb32

SHA256
2c0bd174cdc8a56a5ed288e7c6597e89e130f77093a220288b222ec5401262f7

SHA512
c0f071e16a318b66ada41dfbf8fd63c5ead6a679bdbe1dd1c28f303b8aa2d93f6c3dfd6b431b145478206199e2a870b2413384b38311d5c5681b281393583152

Download Submit
C:\Windows\System\oaiEheJ.exe

Filesize
5.2MB

MD5
ad739920f82326471bdea284c967d656

SHA1
ab6b9f565c73318689c4c580eb07b413698e3eec

SHA256
916d2c25519ff669bde6f43557fcbb4cef1d15d752fc21fcff4b5ba369a79b53

SHA512
08c344d2afeef3da8a0232d868fe74deb23aae790ceeb538371779035375f2a21a4752535932e3c7488ac18ce03fa4bf3478d02cb056410f401b976343496a33

Download Submit
C:\Windows\System\qjoVEYD.exe

Filesize
5.2MB

MD5
4ab5b7465f70bf32f772394cb2b2e4f7

SHA1
b9f8f25f45a49c4b5763bd97daabf75cf57a691e

SHA256
376a4f6ccfa4ec7967d56c27cb3188b8c159cf261549c26e8464b5624aaedca5

SHA512
6ef2e9cf82d918959bcc538ac3b8580bcb09fdc1f5b96e94d5d188c2225614ee4ddd8455575937ce6851a65e4bfe28755c379ba4b55e0b0a4851b53c64a2a4d5

Download Submit
C:\Windows\System\vOOyTRE.exe

Filesize
5.2MB

MD5
b52f30aa79dbc91b6809146fc7f41858

SHA1
c4e8c3dd996fcc19fc63f22c1889fa05c54e8f7f

SHA256
2ade0abe62525c65a8ee14ca113edcf9fbbf3fd2697e2e8edfe699675882ae6b

SHA512
a964cf28f122b9c077fc3f550a6cee8d028289c82d817256d4ace45488eea511014d9d4e659b7339750b66ecbb3d7ca631bbea2ab247fc617a3143d2c53c9fe2

Download Submit
C:\Windows\System\xXkOObt.exe

Filesize
5.2MB

MD5
04619dc300468259a78830946ce27406

SHA1
c730ad54ac44f3881dbcbfcde11dea6c20941326

SHA256
cf95d6691746fc13419a512009aaa38c19b9c6767c1058c8226bae88855ba5a5

SHA512
1b0bcdddd9787102ab5f163b47d9a1c87873428edfac8ab4f13de06722282d9df478bdb109d2e7c4b20a544347c4af275c2307862aff888d12376c4332154b03

Download Submit
memory/464-261-0x00007FF64E740000-0x00007FF64EA91000-memory.dmp

Filesize
3.3MB

Download
memory/464-127-0x00007FF64E740000-0x00007FF64EA91000-memory.dmp

Filesize
3.3MB

Download
memory/548-242-0x00007FF7872E0000-0x00007FF787631000-memory.dmp

Filesize
3.3MB

Download
memory/548-149-0x00007FF7872E0000-0x00007FF787631000-memory.dmp

Filesize
3.3MB

Download
memory/548-77-0x00007FF7872E0000-0x00007FF787631000-memory.dmp

Filesize
3.3MB

Download
memory/1028-265-0x00007FF7D1670000-0x00007FF7D19C1000-memory.dmp

Filesize
3.3MB

Download
memory/1028-128-0x00007FF7D1670000-0x00007FF7D19C1000-memory.dmp

Filesize
3.3MB

Download
memory/2068-159-0x00007FF674430000-0x00007FF674781000-memory.dmp

Filesize
3.3MB

Download
memory/2068-78-0x00007FF674430000-0x00007FF674781000-memory.dmp

Filesize
3.3MB

Download
memory/2068-0-0x00007FF674430000-0x00007FF674781000-memory.dmp

Filesize
3.3MB

Download
memory/2068-136-0x00007FF674430000-0x00007FF674781000-memory.dmp

Filesize
3.3MB

Download
memory/2068-1-0x0000022B16A50000-0x0000022B16A60000-memory.dmp

Filesize
64KB

Download
memory/2272-86-0x00007FF6E4B00000-0x00007FF6E4E51000-memory.dmp

Filesize
3.3MB

Download
memory/2272-250-0x00007FF6E4B00000-0x00007FF6E4E51000-memory.dmp

Filesize
3.3MB

Download
memory/2272-150-0x00007FF6E4B00000-0x00007FF6E4E51000-memory.dmp

Filesize
3.3MB

Download
memory/2708-236-0x00007FF6AAAC0000-0x00007FF6AAE11000-memory.dmp

Filesize
3.3MB

Download
memory/2708-146-0x00007FF6AAAC0000-0x00007FF6AAE11000-memory.dmp

Filesize
3.3MB

Download
memory/2708-56-0x00007FF6AAAC0000-0x00007FF6AAE11000-memory.dmp

Filesize
3.3MB

Download
memory/2716-222-0x00007FF68DC50000-0x00007FF68DFA1000-memory.dmp

Filesize
3.3MB

Download
memory/2716-129-0x00007FF68DC50000-0x00007FF68DFA1000-memory.dmp

Filesize
3.3MB

Download
memory/2716-15-0x00007FF68DC50000-0x00007FF68DFA1000-memory.dmp

Filesize
3.3MB

Download
memory/2828-151-0x00007FF7139A0000-0x00007FF713CF1000-memory.dmp

Filesize
3.3MB

Download
memory/2828-122-0x00007FF7139A0000-0x00007FF713CF1000-memory.dmp

Filesize
3.3MB

Download
memory/2828-252-0x00007FF7139A0000-0x00007FF713CF1000-memory.dmp

Filesize
3.3MB

Download
memory/3068-49-0x00007FF7EBE40000-0x00007FF7EC191000-memory.dmp

Filesize
3.3MB

Download
memory/3068-135-0x00007FF7EBE40000-0x00007FF7EC191000-memory.dmp

Filesize
3.3MB

Download
memory/3068-232-0x00007FF7EBE40000-0x00007FF7EC191000-memory.dmp

Filesize
3.3MB

Download
memory/3184-70-0x00007FF770920000-0x00007FF770C71000-memory.dmp

Filesize
3.3MB

Download
memory/3184-240-0x00007FF770920000-0x00007FF770C71000-memory.dmp

Filesize
3.3MB

Download
memory/3184-147-0x00007FF770920000-0x00007FF770C71000-memory.dmp

Filesize
3.3MB

Download
memory/3416-130-0x00007FF6FC080000-0x00007FF6FC3D1000-memory.dmp

Filesize
3.3MB

Download
memory/3416-21-0x00007FF6FC080000-0x00007FF6FC3D1000-memory.dmp

Filesize
3.3MB

Download
memory/3416-224-0x00007FF6FC080000-0x00007FF6FC3D1000-memory.dmp

Filesize
3.3MB

Download
memory/3592-258-0x00007FF6E97D0000-0x00007FF6E9B21000-memory.dmp

Filesize
3.3MB

Download
memory/3592-131-0x00007FF6E97D0000-0x00007FF6E9B21000-memory.dmp

Filesize
3.3MB

Download
memory/3608-133-0x00007FF753370000-0x00007FF7536C1000-memory.dmp

Filesize
3.3MB

Download
memory/3608-32-0x00007FF753370000-0x00007FF7536C1000-memory.dmp

Filesize
3.3MB

Download
memory/3608-229-0x00007FF753370000-0x00007FF7536C1000-memory.dmp

Filesize
3.3MB

Download
memory/3680-33-0x00007FF788770000-0x00007FF788AC1000-memory.dmp

Filesize
3.3MB

Download
memory/3680-230-0x00007FF788770000-0x00007FF788AC1000-memory.dmp

Filesize
3.3MB

Download
memory/3680-134-0x00007FF788770000-0x00007FF788AC1000-memory.dmp

Filesize
3.3MB

Download
memory/3744-266-0x00007FF66D480000-0x00007FF66D7D1000-memory.dmp

Filesize
3.3MB

Download
memory/3744-125-0x00007FF66D480000-0x00007FF66D7D1000-memory.dmp

Filesize
3.3MB

Download
memory/3932-88-0x00007FF7231E0000-0x00007FF723531000-memory.dmp

Filesize
3.3MB

Download
memory/3932-220-0x00007FF7231E0000-0x00007FF723531000-memory.dmp

Filesize
3.3MB

Download
memory/3932-7-0x00007FF7231E0000-0x00007FF723531000-memory.dmp

Filesize
3.3MB

Download
memory/4056-226-0x00007FF641F80000-0x00007FF6422D1000-memory.dmp

Filesize
3.3MB

Download
memory/4056-26-0x00007FF641F80000-0x00007FF6422D1000-memory.dmp

Filesize
3.3MB

Download
memory/4056-132-0x00007FF641F80000-0x00007FF6422D1000-memory.dmp

Filesize
3.3MB

Download
memory/4148-238-0x00007FF6AF0F0000-0x00007FF6AF441000-memory.dmp

Filesize
3.3MB

Download
memory/4148-68-0x00007FF6AF0F0000-0x00007FF6AF441000-memory.dmp

Filesize
3.3MB

Download
memory/4148-148-0x00007FF6AF0F0000-0x00007FF6AF441000-memory.dmp

Filesize
3.3MB

Download
memory/4252-262-0x00007FF7E0A20000-0x00007FF7E0D71000-memory.dmp

Filesize
3.3MB

Download
memory/4252-126-0x00007FF7E0A20000-0x00007FF7E0D71000-memory.dmp

Filesize
3.3MB

Download
memory/4332-256-0x00007FF7091E0000-0x00007FF709531000-memory.dmp

Filesize
3.3MB

Download
memory/4332-123-0x00007FF7091E0000-0x00007FF709531000-memory.dmp

Filesize
3.3MB

Download
memory/4928-124-0x00007FF604950000-0x00007FF604CA1000-memory.dmp

Filesize
3.3MB

Download
memory/4928-255-0x00007FF604950000-0x00007FF604CA1000-memory.dmp

Filesize
3.3MB

Download
memory/5028-234-0x00007FF7F07E0000-0x00007FF7F0B31000-memory.dmp

Filesize
3.3MB

Download
memory/5028-62-0x00007FF7F07E0000-0x00007FF7F0B31000-memory.dmp

Filesize
3.3MB

Download